HMAC Generator

Sign messages with HMAC-SHA1, SHA256, SHA384, or SHA512.

Algorithm

Secret key

Message

Hex

—

Base64

—

HMAC proves a message came from someone who knows the shared key, and that nothing was tampered with in transit. Used to sign webhooks, JWTs, and API requests. Runs locally, your key never leaves the page.

About

HMAC proves a message came from someone who knows the shared key, and that nothing was tampered with. Used to sign webhooks (Stripe, GitHub), JWTs, and API requests. This tool runs entirely in your browser.

How to use

Pick the algorithm.
Enter your secret key.
Enter the message.
Copy the hex or Base64 output.

FAQ

Does my key leave the page?+

No. Hashing happens in your browser via the Web Crypto API. Nothing is sent anywhere.

Which algorithm should I pick?+

SHA-256 is the modern default. Use SHA-1 only when an old API still requires it. SHA-512 is fine if the API specifies it, but offers no real-world advantage over SHA-256 for HMAC.